Hi,

The version 6.5.x no longer accepts contributions (except
security patches):
https://apereo.github.io/cas/developer/Maintenance-Policy.html

So don't worry about submitting a PR.

Thanks.
Best regards,
Jérôme


On Fri, 28 Oct 2022 at 14:04, Dennis Sjögren <[email protected]> wrote:

> So... Running IntelliJ IDEA on a 2019 MacBook Pro with a 2.6GHz 6-Core
> Intel i7 is... interesting. Having it directly in your lap is not
> recommended. Listening to the fans constantly at 5000 rpm is not as fun as
> it sounds. :) (And being a developer in a completely different ecosystem
> doesn't help.)
>
> Anyway, I found out that if you manage to set the *ForceAuthn* request
> attribute in the *getRedirectionAction* method in
> *DelegatedClientAuthenticationRedirectAction*.java
> (cas-server-support-pac4j-webflow), the resulting redirect to Azure will
> have *max_age=0* as a query parameter. Yay!
>
> I've been experimenting with setting a query parameter (for the
> clientredirect call) in the *resolve* method in
> *DelegatedClientIdentityProviderConfigurationFactory*.java
> (cas-server-support-pac4j-core). This then gets carried over to the
> aforementioned *getRedirectAction* method via the transient session
> ticket. This works but I'm not sure if this is more of a "hack" or if it's
> nearing something that would be acceptable to submit as a PR.
>
> Anyway. Back to experimenting.
>
> Regards,
> Dennis
>
>
> On Tuesday, October 25, 2022 at 7:59:32 PM UTC+2 Dennis Sjögren wrote:
>
>> Currently running v6.5.2. Planning on upgrading to latest 6.6.x soon.
>>
>> The thing is, initially CAS does the right thing with renew=true, i.e.
>> redirecting to the authorize endpoint in Azure. My goal is that renew=true
>> should translate to prompt=login. Is there anything *I* can do to influence
>> this process? Besides learning Java and fixing it myself (which, depending
>> on the complexity, I'm actually considering). :)
>>
>> However, I think I might have another problem.
>>
>> I did a "poor man's" fix by adding this:
>> cas.authn.pac4j.oidc[0].azure.custom-params.prompt=login
>>
>> Then when my app is requesting re-auth (via renew=true), Delegated
>> Authentication redirects to Azure and credentials are requested (forced by
>> my setting above). However, then I get this:
>>
>> PROTOCOL_SPECIFICATION_VALIDATE_FAILED
>> [Cas20WithoutProxyingValidationSpecification] is to enforce the [renew]
>> CAS protocol behavior, yet the assertion is not issued from a new login
>>
>> So my suspicion is that even if I could translate renew=true to
>> prompt=login in Delegated Authentication somehow, I would get stuck on this
>> validation. Correct me if I'm wrong, but this must be an error? I mean, CAS
>> is obviously aware of renew=true, but when Delegated Authentication returns
>> the ST seems to be generated from the previously created TGT anyway? This
>> could of course be by design - considering that there might not be a way
>> for CAS to know if the delegated authentication client did request
>> re-validation of credentials or not. That way, it would probably be better
>> to send max_age=0, but that requires that CAS can validate the auth_time
>> claim...
>>
>> I'm so close to getting this setup to where I want it to be... but this
>> might just be a blocker. Gonna go look up the price of IntelliJ IDEA now. :)
>>
>> Regards,
>> Dennis
>>
>> On Tuesday, October 25, 2022 at 5:56:49 PM UTC+2 CAS Community wrote:
>>
>>> It generally depends on what version of CAS (and pac4j) you run. Most
>>> recent versions can handle protocol translations, such that renew=true is
>>> ultimately translated to prompt=login or max_age=0 or something like that.
>>>
>>> On Tuesday, October 25, 2022 at 6:14:55 PM UTC+4 Dennis Sjögren wrote:
>>>
>>>> Hi,
>>>>
>>>> I've been experimenting with Delegated Authentication to Azure AD (via
>>>> pac4j) and it works like a charm. The last day or so I've been searching
>>>> for an answer to whether renew=1 can be propagated to the authorize call to
>>>> Azure AD somehow. If I'm not mistaken, a parameter of prompt=login could be
>>>> the way to go.
>>>>
>>>> When I test from a CAS enabled app, renew=1 seems to be forcing a new
>>>> request to Microsoft's authorize endpoint, but since I already have an
>>>> active session in Azure, I'm not prompted for my credentials again.
>>>>
>>>> I've been looking into the CAS codebase for a configuration hint or
>>>> something. I've been a full time developer for 25+ years, unfortunately not
>>>> in Java - so needless to say, I'm not being particularly successful. :)
>>>>
>>>> So my question is: Is it possible to force re-validation of credentials
>>>> using renew=1 when delegating to Azure AD?
>>>>
>>>> Regards,
>>>> Dennis
>>>>
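Dennis points out above that sending max_age=0 instead of prompt=login only helps if the CAS side then checks the auth_time claim in the ID token; otherwise a renew=true request could still be satisfied by an Azure AD session established earlier. The following is an added example, not code from this thread, from CAS or from pac4j: it implements that check in Python against the OpenID Connect Core rule that an ID token returned for a max_age request must carry auth_time, and that the relying party verifies the authentication is no older than max_age (with a small allowance for clock skew). The function names and the sample claims are constructed for illustration.

```python
"""Check the OpenID Connect auth_time claim against the max_age we requested.

Constructed example for the CAS thread above; not CAS or pac4j code. OIDC Core
1.0 requires that when the RP sends max_age, the ID token carries auth_time and
the RP verifies that the authentication is no older than max_age. Without this
check a "renew" request can be satisfied by an IdP session established earlier.
"""
import time
from typing import Optional


class FreshnessError(Exception):
    """Raised when the ID token does not prove a sufficiently recent login."""


def check_auth_time(claims: dict, max_age: int,
                    now: Optional[int] = None, skew: int = 30) -> int:
    """Return the age of the authentication in seconds or raise FreshnessError.

    `skew` tolerates clock drift between RP and IdP; with max_age=0 the login
    must have happened within `skew` seconds of now.
    """
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        # A conforming IdP must send auth_time when max_age was requested;
        # its absence means we cannot prove a fresh login, so fail closed.
        raise FreshnessError("max_age was requested but the ID token has no auth_time")
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        raise FreshnessError("auth_time must be an integer number of seconds since the epoch")
    age = now - auth_time
    if age < -skew:
        raise FreshnessError(f"auth_time is {-age}s in the future")
    if age > max_age + skew:
        raise FreshnessError(f"authentication is {age}s old, older than max_age={max_age}")
    return age


def renew_satisfied(renew: bool, claims: dict, now: Optional[int] = None) -> bool:
    """Decide whether an assertion may be issued for a CAS request.

    renew=false: any valid ID token is fine (an existing SSO session is acceptable).
    renew=true : treat as max_age=0, i.e. the IdP must have just re-authenticated
                 the user; a cached IdP session does not count.
    """
    if not renew:
        return True
    try:
        check_auth_time(claims, max_age=0, now=now)
        return True
    except FreshnessError:
        return False


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed reference time (seconds since the epoch)
    fresh = {"sub": "dennis", "auth_time": NOW - 5}      # just re-authenticated
    stale = {"sub": "dennis", "auth_time": NOW - 3600}   # session from an hour ago
    no_time = {"sub": "dennis"}                          # IdP ignored max_age
    for name, c in (("fresh", fresh), ("stale", stale), ("no auth_time", no_time)):
        print(f"renew=true with {name:12s} token -> assertion allowed: "
              f"{renew_satisfied(True, c, NOW)}")
```

The point of the skew parameter is that max_age=0 taken literally would reject every token, since the IdP's auth_time is always at least a little in the past by the time the response arrives; a tolerance of a few tens of seconds is the usual compromise. Note that the check fails closed when auth_time is missing, which is exactly the case where the IdP did not honour the max_age request.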

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAP279LxbCp_-_N0iPey0nny_Qq57VpN%3D5qD19mYaATEwYNJ_vQ%40mail.gmail.com.
